oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity
Files
aa5c525e71bb0b799ce49b9b024f0d45c57f1ab0
heimdal/lib/hx509/hxtool-commands.in
Nicolas Williams 8af2d79d35 hx509: Add missing CSR extension request support 
This is necessary in order to add proper support for CSRs in kx509,
where the KDC can examine all requested KUs/EKUs/SANs, check
authorization, and issue a certificate with all those extensions if
authorized.

This is the convention used by OpenSSL, of encoding all the KU, EKUs,
and SANs being requested as Extensions as they would appear in the
TBSCertificate, then putting those in as a single Attribute in the CSR's
Attributes list with attribute OID {id-pkcs-9, 14}.

 - expose all hx509_request_*() functions
 - finish support in hx509_request_parse*() for KU, EKU, and SAN CSR
   attributes
 - finish support in hx509_request_to_pkcs10() for encoding all
   requested KU, EKU, and SAN extensions as a CSR extReq (extension request)
 - add hx509_request_add_*() support for:
    - id-pkinit-san and ms-upn-pkinit-san
    - XMPP (Jabber) SAN
    - registeredID (useless but trivial)
 - add hxtool request-create options for all supported SANs
 - add hxtool request-create options for KeyUsage
 - add hxtool request-create options for ExtKeyUsage
 - add hxtool request-print support for all these things
 - fix bugs in existing id-pkinit-san handling

Possible future improvements

 - add HX509_TRACE env var and support (it would be nice to be able to
   observe why some certificate is rejected, or not matched in a query)
 - add testing that CSR creating and printing round-trip for all KUs,
   EKUs, and SANs
   (probably in tests/kdc/check-pkinit.in)
 - add testing that OpenSSL can print a CSR made by hxtool and
   vice-versa
 - hxtool ca: add KU sanity checking (via hx509_ca_sign() and/or friends)
   (don't allow encrypt for signing-only algs)
   (don't allow encrypt for RSA at all, or for RSA with small e exponents)
 - hxtool request-print: warn about all unknown attributes and
   extensions
 - hxtool ca: MAYBE add support for adding requested extensions from the
   --req=CSR
   ("Maybe" because CA operators should really verify and authorize all
    requested attributes, and should acknowledge that they have, and the
    simplest way to do this is to make them add all the corresponding
    CLI arguments to the hxtool ca command, but too, that is
    error-prone, thus it's not clear yet which approach is best.
    Perhaps interactively prompt for yes/no for each attribute.)
 - add additional SAN types:
    - iPAddress                 (useless?)
    - dNSSrv                    (useful!)
    - directoryName             (useless, but trivial)
    - uniformResourceIdentifier (useful)
 - it would be nice if the ASN.1 compiler could generate print
   functions..., and/or even better, to-JSON functions
 - it would be nice if we had a known-OID db, including the names of the
   types they refer to in certificate extensions, otherName SANs and CSR
   attributes, then we could generate a CSR and certificate printer for
   all known options even when they are not supported by the rest of
   Heimdal
    - and we could also get friendly names for OIDs, and we could
      resolve their arc names
    - longer term, we could also stand to add some ASN.1 information
      object system functionality, just enough to make
      lib/hx509/asn1_print awesome by being able to automatically decode
      all heim_any and OCTET STRING content (better than its current
      --inner option)
2019-10-08 22:20:40 -05:00

869 lines
17 KiB
Plaintext
Raw Blame History

/*
* Copyright (c) 2005 - 2007 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* $Id$ */
command = {
name = "list-oids"
help = "List known OIDs"
function = "hxtool_list_oids"
min_args="0"
max_args="0"
}
command = {
name = "cms-create-sd"
name = "cms-sign"
option = {
long = "certificate"
short = "c"
type = "strings"
argument = "certificate-store"
help = "certificate stores to pull certificates from"
}
option = {
long = "signer"
short = "s"
type = "string"
argument = "signer-friendly-name"
help = "certificate to sign with"
}
option = {
long = "anchors"
type = "strings"
argument = "certificate-store"
help = "trust anchors"
}
option = {
long = "pool"
type = "strings"
argument = "certificate-pool"
help = "certificate store to pull certificates from"
}
option = {
long = "pass"
type = "strings"
argument = "password"
help = "password, prompter, or environment"
}
option = {
long = "peer-alg"
type = "strings"
argument = "oid"
help = "oid that the peer support"
}
option = {
long = "content-type"
type = "string"
argument = "oid"
help = "content type oid"
}
option = {
long = "content-info"
type = "flag"
help = "wrapped out-data in a ContentInfo"
}
option = {
long = "pem"
type = "flag"
help = "wrap out-data in PEM armor"
}
option = {
long = "detached-signature"
type = "flag"
help = "create a detached signature"
}
option = {
long = "signer"
type = "-flag"
help = "do not sign"
}
option = {
long = "id-by-name"
type = "flag"
help = "use subject name for CMS Identifier"
}
option = {
long = "embedded-certs"
type = "-flag"
help = "don't embed certificates"
}
option = {
long = "embed-leaf-only"
type = "flag"
help = "only embed leaf certificate"
}
min_args="1"
max_args="2"
argument="in-file out-file"
help = "Wrap a file within a SignedData object"
}
command = {
name = "cms-verify-sd"
option = {
long = "anchors"
short = "D"
type = "strings"
argument = "certificate-store"
help = "trust anchors"
}
option = {
long = "certificate"
short = "c"
type = "strings"
argument = "certificate-store"
help = "certificate store to pull certificates from"
}
option = {
long = "pass"
type = "strings"
argument = "password"
help = "password, prompter, or environment"
}
option = {
long = "missing-revoke"
type = "flag"
help = "missing CRL/OCSP is ok"
}
option = {
long = "content-info"
type = "flag"
help = "unwrap in-data that's in a ContentInfo"
}
option = {
long = "pem"
type = "flag"
help = "unwrap in-data from PEM armor"
}
option = {
long = "signer-allowed"
type = "-flag"
help = "allow no signer"
}
option = {
long = "allow-wrong-oid"
type = "flag"
help = "allow wrong oid flag"
}
option = {
long = "signed-content"
type = "string"
help = "file containing content"
}
option = {
long = "oid-sym"
type = "flag"
help = "show symbolic name for OID"
}
min_args="1"
max_args="2"
argument="in-file [out-file]"
help = "Verify a file within a SignedData object"
}
command = {
name = "cms-unenvelope"
option = {
long = "certificate"
short = "c"
type = "strings"
argument = "certificate-store"
help = "certificate used to decrypt the data"
}
option = {
long = "pass"
type = "strings"
argument = "password"
help = "password, prompter, or environment"
}
option = {
long = "content-info"
type = "flag"
help = "wrapped out-data in a ContentInfo"
}
option = {
long = "allow-weak-crypto"
type = "flag"
help = "allow weak crypto"
}
min_args="2"
argument="in-file out-file"
help = "Unenvelope a file containing a EnvelopedData object"
}
command = {
name = "cms-envelope"
function = "cms_create_enveloped"
option = {
long = "certificate"
short = "c"
type = "strings"
argument = "certificate-store"
help = "certificates used to receive the data"
}
option = {
long = "pass"
type = "strings"
argument = "password"
help = "password, prompter, or environment"
}
option = {
long = "encryption-type"
type = "string"
argument = "enctype"
help = "enctype"
}
option = {
long = "content-type"
type = "string"
argument = "oid"
help = "content type oid"
}
option = {
long = "content-info"
type = "flag"
help = "wrapped out-data in a ContentInfo"
}
option = {
long = "allow-weak-crypto"
type = "flag"
help = "allow weak crypto"
}
min_args="2"
argument="in-file out-file"
help = "Envelope a file containing a EnvelopedData object"
}
command = {
name = "verify"
function = "pcert_verify"
option = {
long = "pass"
type = "strings"
argument = "password"
help = "password, prompter, or environment"
}
option = {
long = "allow-proxy-certificate"
type = "flag"
help = "allow proxy certificates"
}
option = {
long = "missing-revoke"
type = "flag"
help = "missing CRL/OCSP is ok"
}
option = {
long = "time"
type = "string"
help = "time when to validate the chain"
}
option = {
long = "verbose"
short = "v"
type = "flag"
help = "verbose logging"
}
option = {
long = "max-depth"
type = "integer"
help = "maximum search length of certificate trust anchor"
}
option = {
long = "hostname"
type = "string"
help = "match hostname to certificate"
}
argument = "cert:foo chain:cert1 chain:cert2 anchor:anchor1 anchor:anchor2"
help = "Verify certificate chain"
}
command = {
name = "print"
function = "pcert_print"
option = {
long = "pass"
type = "strings"
argument = "password"
help = "password, prompter, or environment"
}
option = {
long = "content"
type = "flag"
help = "print the content of the certificates"
}
option = {
long = "never-fail"
type = "flag"
help = "never fail with an error code"
}
option = {
long = "info"
type = "flag"
help = "print the information about the certificate store"
}
min_args="1"
argument="certificate ..."
help = "Print certificates"
}
command = {
name = "validate"
function = "pcert_validate"
option = {
long = "pass"
type = "strings"
argument = "password"
help = "password, prompter, or environment"
}
min_args="1"
argument="certificate ..."
help = "Validate content of certificates"
}
command = {
name = "certificate-copy"
name = "cc"
option = {
long = "in-pass"
type = "strings"
argument = "password"
help = "password, prompter, or environment"
}
option = {
long = "out-pass"
type = "string"
argument = "password"
help = "password, prompter, or environment"
}
min_args="2"
argument="in-certificates-1 ... out-certificate"
help = "Copy in certificates stores into out certificate store"
}
command = {
name = "ocsp-fetch"
option = {
long = "pass"
type = "strings"
argument = "password"
help = "password, prompter, or environment"
}
option = {
long = "sign"
type = "string"
argument = "certificate"
help = "certificate use to sign the request"
}
option = {
long = "url-path"
type = "string"
argument = "url"
help = "part after host in url to put in the request"
}
option = {
long = "nonce"
type = "-flag"
default = "1"
help = "don't include nonce in request"
}
option = {
long = "pool"
type = "strings"
argument = "certificate-store"
help = "pool to find parent certificate in"
}
min_args="2"
argument="outfile certs ..."
help = "Fetch OCSP responses for the following certs"
}
command = {
option = {
long = "ocsp-file"
type = "string"
help = "OCSP file"
}
name = "ocsp-verify"
min_args="1"
argument="certificates ..."
help = "Check that certificates are in OCSP file and valid"
}
command = {
name = "ocsp-print"
option = {
long = "verbose"
type = "flag"
help = "verbose"
}
min_args="1"
argument="ocsp-response-file ..."
help = "Print the OCSP responses"
}
command = {
name = "revoke-print"
option = {
long = "verbose"
type = "flag"
help = "verbose"
}
min_args="1"
argument="ocsp/crl files"
help = "Print the OCSP/CRL files"
}
command = {
name = "generate-key"
option = {
long = "type"
type = "string"
help = "keytype"
}
option = {
long = "key-bits"
type = "integer"
help = "number of bits in the generated key";
}
option = {
long = "verbose"
type = "flag"
help = "verbose status"
}
min_args="1"
max_args="1"
argument="output-file"
help = "Generate a private key"
}
command = {
name = "request-create"
option = {
long = "subject"
type = "string"
help = "Subject DN"
}
option = {
long = "eku"
type = "strings"
argument = "oid-string"
help = "Add Extended Key Usage OID"
}
option = {
long = "email"
type = "strings"
help = "Email address in SubjectAltName"
}
option = {
long = "jid"
type = "strings"
help = "XMPP (Jabber) address in SubjectAltName"
}
option = {
long = "dnsname"
type = "strings"
help = "Hostname or domainname in SubjectAltName"
}
option = {
long = "kerberos"
type = "strings"
help = "Kerberos principal name as SubjectAltName"
}
option = {
long = "ms-kerberos"
type = "strings"
help = "Kerberos principal name as SubjectAltName (Microsoft variant)"
}
option = {
long = "registered"
type = "strings"
help = "Registered object ID as SubjectAltName"
}
option = {
long = "dn"
type = "strings"
help = "Directory name as SubjectAltName"
}
option = {
long = "type"
type = "string"
help = "Type of request CRMF or PKCS10, defaults to PKCS10"
}
option = {
long = "key"
type = "string"
help = "Key-pair"
}
option = {
long = "generate-key"
type = "string"
help = "keytype"
}
option = {
long = "key-bits"
type = "integer"
help = "number of bits in the generated key";
}
option = {
long = "verbose"
type = "flag"
help = "verbose status"
}
min_args="1"
max_args="1"
argument="output-file"
help = "Create a CRMF or PKCS10 request"
}
command = {
name = "request-print"
option = {
long = "verbose"
type = "flag"
help = "verbose printing"
}
min_args="1"
argument="requests ..."
help = "Print requests"
}
command = {
name = "query"
option = {
long = "exact"
type = "flag"
help = "exact match"
}
option = {
long = "private-key"
type = "flag"
help = "search for private key"
}
option = {
long = "friendlyname"
type = "string"
argument = "name"
help = "match on friendly name"
}
option = {
long = "eku"
type = "string"
argument = "oid-string"
help = "match on EKU"
}
option = {
long = "expr"
type = "string"
argument = "expression"
help = "match on expression"
}
option = {
long = "keyEncipherment"
type = "flag"
help = "match keyEncipherment certificates"
}
option = {
long = "digitalSignature"
type = "flag"
help = "match digitalSignature certificates"
}
option = {
long = "print"
type = "flag"
help = "print matches"
}
option = {
long = "pass"
type = "strings"
argument = "password"
help = "password, prompter, or environment"
}
min_args="1"
argument="certificates ..."
help = "Query the certificates for a match"
}
command = {
name = "info"
}
command = {
name = "random-data"
min_args="1"
argument="bytes"
help = "Generates random bytes and prints them to standard output"
}
command = {
option = {
long = "type"
type = "string"
help = "type of CMS algorithm"
}
option = {
long = "oid-syms"
type = "flag"
help = "show symbolic names for OIDs"
}
name = "crypto-available"
min_args="0"
help = "Print available CMS crypto types"
}
command = {
option = {
long = "type"
type = "string"
help = "type of CMS algorithm"
}
option = {
long = "certificate"
type = "string"
help = "source certificate limiting the choices"
}
option = {
long = "peer-cmstype"
type = "strings"
help = "peer limiting cmstypes"
}
option = {
long = "oid-sym"
type = "flag"
help = "show symbolic name for OID"
}
name = "crypto-select"
min_args="0"
help = "Print selected CMS type"
}
command = {
option = {
long = "decode"
short = "d"
type = "flag"
help = "decode instead of encode"
}
name = "hex"
function = "hxtool_hex"
min_args="0"
help = "Encode input to hex"
}
command = {
option = {
long = "issue-ca"
type = "flag"
help = "Issue a CA certificate"
}
option = {
long = "issue-proxy"
type = "flag"
help = "Issue a proxy certificate"
}
option = {
long = "domain-controller"
type = "flag"
help = "Issue a MS domaincontroller certificate"
}
option = {
long = "subject"
type = "string"
help = "Subject of issued certificate"
}
option = {
long = "ca-certificate"
type = "string"
help = "Issuing CA certificate"
}
option = {
long = "self-signed"
type = "flag"
help = "Issuing a self-signed certificate"
}
option = {
long = "ca-private-key"
type = "string"
help = "Private key for self-signed certificate"
}
option = {
long = "certificate"
type = "string"
help = "Issued certificate"
}
option = {
long = "type"
type = "strings"
help = "Types of certificate to issue (can be used more then once)"
}
option = {
long = "lifetime"
type = "string"
help = "Lifetime of certificate"
}
option = {
long = "signature-algorithm"
type = "string"
help = "Signature algorithm to use"
}
option = {
long = "serial-number"
type = "string"
help = "serial-number of certificate"
}
option = {
long = "path-length"
default = "-1"
type = "integer"
help = "Maximum path length (CA and proxy certificates), -1 no limit"
}
option = {
long = "eku"
type = "strings"
argument = "oid-string"
help = "Add Extended Key Usage OID"
}
option = {
long = "ku"
type = "strings"
help = "Key Usage (digitalSignature, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly)"
}
option = {
long = "hostname"
type = "strings"
help = "DNS names this certificate is allowed to serve"
}
option = {
long = "email"
type = "strings"
help = "email addresses assigned to this certificate"
}
option = {
long = "pk-init-principal"
type = "strings"
help = "PK-INIT principal (for SAN)"
}
option = {
long = "ms-upn"
type = "string"
help = "Microsoft UPN (for SAN)"
}
option = {
long = "jid"
type = "string"
help = "XMPP jabber id (for SAN)"
}
option = {
long = "req"
type = "string"
help = "certificate request"
}
option = {
long = "certificate-private-key"
type = "string"
help = "private-key"
}
option = {
long = "generate-key"
type = "string"
help = "keytype"
}
option = {
long = "key-bits"
type = "integer"
help = "number of bits in the generated key"
}
option = {
long = "crl-uri"
type = "string"
help = "URI to CRL"
}
option = {
long = "template-certificate"
type = "string"
help = "certificate"
}
option = {
long = "template-fields"
type = "string"
help = "flag"
}
name = "certificate-sign"
name = "cert-sign"
name = "issue-certificate"
name = "ca"
function = "hxtool_ca"
min_args="0"
help = "Issue a certificate"
}
command = {
name = "test-crypto"
option = {
long = "pass"
type = "strings"
argument = "password"
help = "password, prompter, or environment"
}
option = {
long = "verbose"
type = "flag"
help = "verbose printing"
}
min_args="1"
argument="certificates..."
help = "Test crypto system related to the certificates"
}
command = {
option = {
long = "type"
type = "integer"
help = "type of statistics"
}
name = "statistic-print"
min_args="0"
help = "Print statistics"
}
command = {
option = {
long = "signer"
type = "string"
help = "signer certificate"
}
option = {
long = "pass"
type = "strings"
argument = "password"
help = "password, prompter, or environment"
}
option = {
long = "crl-file"
type = "string"
help = "CRL output file"
}
option = {
long = "lifetime"
type = "string"
help = "time the crl will be valid"
}
name = "crl-sign"
min_args="0"
argument="certificates..."
help = "Create a CRL"
}
command = {
name = "help"
name = "?"
argument = "[command]"
min_args = "0"
max_args = "1"
help = "Help! I need somebody"
}
Reference in New Issue View Git Blame Copy Permalink